git.ipfire.org Git - thirdparty/systemd.git/commit

creds: add explicit control on whether to allow null key decryption

The ability to encrypt/authenticate encryption with a null key was
originally just a fallback concept for cases where during early boot we
have no host key, but the local system has no TPM2. Nowadays it is used
for other stuff as well, such as pcrlock data propagation (i.e. data
that needs no protection itself and required to properly to TPM key
derivation).

Let's give better, explicit control over null key usage, i.e. let's make
it a tristate both on the systemd-creds command line and in the Varlink
IPC to control three cases:

- the default that we allow it only if SecureBoot is off
- explicitly allowed
- explicitly refused (this is new)

Ideally systemd-creds --allow-null switch would take a boolean argument
to control this as a tristate. Alas, that would be a compat break, hence
I added --refuse-null instead (which also maps to the low-level flag for
this).

This also normalizes that the null key is always called "null key" in
messages, and not sometimes "empty key" or "fallback key".

author	Lennart Poettering <lennart@poettering.net>
	Tue, 7 Oct 2025 16:37:07 +0000 (18:37 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 8 Oct 2025 07:18:28 +0000 (09:18 +0200)
commit	e921d6d40fda2e4aa2d77b4659e01e8ff7de7a92
tree	334d683f97201ef95d847573a45f880c309c9c86	tree \| snapshot
parent	76d5d38fcc1afbf6b8340073754ea9bed81d865c	commit \| diff

man/systemd-creds.xml		diff \| blob \| blame \| history
src/creds/creds.c		diff \| blob \| blame \| history
src/shared/creds-util.c		diff \| blob \| blame \| history
src/shared/creds-util.h		diff \| blob \| blame \| history
src/shared/varlink-io.systemd.Credentials.c		diff \| blob \| blame \| history
test/units/TEST-54-CREDS.sh		diff \| blob \| blame \| history